Identifying the gaps in IT security talent retention

I always rave about the people I get to work with. I think it’s essential for any professional wanting to grow a career to engage enlightened and successful mentors. In particular, people who are getting paid for doing what they love and are giving back to their sector.

One of these inspiring people is David Joao Vieira Carvalho, CISO for OCS Group. David is one of the youngest CISOs in Europe and it shows – in the best way possible. David has energy, passion and all the good stuff you’d expect from a dynamic young leader. In addition, I asked David to join our advisory committee, effectively a group of uber smart business leaders who guide the direction of content we deliver at our events.

I’m sharing a part of a conversation I recently had with David where he speaks about the all-important talent retention challenge in the market. Take a read and share your opinion and/or ideas for innovating the retention model.

NJ: David, what do you regard as the greatest challenge for CISOs in 2017?

DJVC: “I believe the biggest challenge in 2017 for CISOs, besides the traditional threats and risks to the business, is regarding Talent Retention in a world where supply is way smaller than demand. Specifically, recruiting and keeping talented cyber security professionals at all levels, but mainly at senior levels.

I feel that there is a severe misconception of what actually makes a cyber security professional ‘good’, and most hiring and retention issues come from that same misconception.

Being one of the youngest Cyber-Security leaders in Europe, and having been involved in the Cyber domain all my career, I have personally experienced the underlying perception problems related to this domain of work; these in most cases end up debilitating the whole process and making it harder to keep talent inside the company.

At the core of this perception issue, in my opinion, is the idea that Cyber-Security professionals are basically just like any other professionals from other industry spaces. This is a mistake: young cyber-security professionals such as myself have had no specialised University Course on Cyber-Security the vast majority of the time. We do not possess long careers (cyber security positions haven’t been available for decades as full-time positions, or at all in most organisations), and we as Cyber-Security professionals had no ‘push’ from parents or society to adhere to a specific well-defined study-work standard … we had none of this. What we have is a deep passion to self-teach; we are highly curious tinkerers, passionate people in a very, very young and fast-changing environment who, over time, have learned to dominate one or more areas of Cyber-Security through our own means. We are self-taught using all manner of structured and unstructured resources we see online, and as such we look to expand our knowledge and keep learning about what it is that we love doing. At the end of the day, a full-time position is an extension of this way of life, of this ethos.

So when I see a company not providing training and certifications on technologies that the cyber-security professional is passionate about, this leads to natural frustration, as he is not looking just for a paycheck that reflects what he learned on his university course; he is looking to fund himself/herself and his passion as well, and will invariably leave the position, taking all the internal knowledge with him. This has the potential to increase Risk within the organisation.

Companies must also focus on investing in educating the hiring managers in this context. It is usual to see requirements such as certain certifications or university levels being pushed forward for positions that heavily restrict the candidate pool without providing much of a real ‘proof of technical and real world knowledge’ in the cyber domain; this creates a potential handicap for the organisation.

Even though what I am about to say might seem counter-intuitive, I have to admit that I know as many IT professionals that are now Cyber-security professionals as I know people that were everything from elevator repairman to theater actor, who are as good in Cyber as their IT-educated counterparts. I feel that in the cyber environment we live in today, proof of talent is orders of magnitude more important than anything else for hiring purposes.

An organisation that sees the risks of an attack as extremely important for its survivability and that ‘wants the best people’ should naturally, instead of focusing on traditional educational background or how ‘businessy’ the person looks in the interview, first focus on providing awareness to hiring managers. Due to the lack of the aforementioned, many job descriptions call for decades of experience with technologies that have only been around for some years; ’10 years of DarkTrace or FireEye experience’, for example, isn’t going to be realistic, as these technologies haven’t even been around for that amount of time.

This lack of awareness of the Cyber field and these bad hiring practices have been working against companies for a number of years now, with compounding risks and shadow costs associated with them, leading to loss of business opportunities, loss of growth, loss of internal knowledge and loss of employee quality.”